CVE-2023-26059
https://notcve.org/view.php?id=CVE-2023-26059
An issue was discovered in Nokia NetAct before 22 SP1037. On the Site Configuration Tool tab, attackers can upload a ZIP file which, when processed, exploits Stored XSS. The upload option of the Site Configuration tool does not validate the file contents. The application is in a demilitarised zone behind a perimeter firewall and without exposure to the internet. The attack can only be performed by an internal user.
References: https://nokia.com ; https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2022-03
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26060
https://notcve.org/view.php?id=CVE-2023-26060
An issue was discovered in Nokia NetAct before 22 FP2211. On the Working Set Manager page, users can create a Working Set with a name that has a client-side template injection payload. Input validation is missing during creation of the working set. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.
References: https://nokia.com ; https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2022-04
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2023-26061
https://notcve.org/view.php?id=CVE-2023-26061
An issue was discovered in Nokia NetAct before 22 FP2211. On the Scheduled Search tab under the Alarm Reports Dashboard page, users can create a script to inject XSS. Input validation was missing during creation of a scheduled task. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.
References: https://nokia.com ; https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2022-05
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-30759 – Nokia OneNDS 20.9 Insecure Permissions / Privilege Escalation
https://notcve.org/view.php?id=CVE-2022-30759
In Nokia One-NDS (aka Network Directory Server) through 20.9, some Sudo permissions can be exploited by some users to escalate to root privileges and execute arbitrary commands. Nokia OneNDS 20.9 has loose sudo permissions that can allow users to escalate privileges.
References: https://packetstormsecurity.com/files/171971/Nokia-OneNDS-20.9-Insecure-Permissions-Privilege-Escalation.html ; https://www.nokia.com/networks/products/one-nds
CWE-276: Incorrect Default Permissions
CVE-2022-31244 – Nokia OneNDS 17 Insecure Permissions / Privilege Escalation
https://notcve.org/view.php?id=CVE-2022-31244
Nokia OneNDS 17r2 has an insecure-permissions vulnerability that allows for privilege escalation. Nokia OneNDS 17 has loose sudo permissions that can allow users to escalate privileges.
References: https://packetstormsecurity.com/files/171970/Nokia-OneNDS-17-Insecure-Permissions-Privilege-Escalation.html ; https://www.nokia.com/networks/products/one-nds
CWE-276: Incorrect Default Permissions